Netgate Discussion Forum
    IPSec mapping from central location

tgreen

      Here's all the P2 Mappings:

      SITE A - SITE B
      P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.2.0/24
      P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

      SITE B - SITE A
      P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.1.0/24
      P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

      SITE A - SITE C
      P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.3.0/24
      P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

      SITE C - SITE A
      P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.1.0/24
      P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

      Firewall IPsec rules on all 3 have
      Protocol Any
      Source Any
      Destination Any

      Firewall LAN rules on all 3 have
      Protocol Any
      Source Any
      Destination Any

Derelict (LAYER 8, Netgate)

First off, set all of those .1/24 networks to .0/24. I do not think that is hurting anything, but it is improper and makes accuracy sensibilities twitch.

        Are the phase 2 networks establishing when there is traffic? If not, look at the logs and see what the complaints are there. The responder is often the best place to look since it will log more information about what it didn't like.

        If not already set this way, set VPN > IPsec, Advanced Settings Logging controls to Diag for IKE SA, IKE Child SA, and Configuration Backend. Everything else should be Control.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

tgreen

Sorry, the .1's were typos on my part; all are .0's.

Not sure what to locate in the logs (Diag for IKE SA, IKE Child SA, and Configuration Backend, with everything else at Control, was already set on all units).

Perhaps I'm not testing in an adequate way. I'm trying to ping the LAN on Site C from the LAN on Site B.

          I'll keep trying though

Derelict (LAYER 8, Netgate)

            Are the phase 2 tunnels even establishing? Status > IPsec

tgreen

I don't think so. The Status page shows the VPN is connected, and below it (+ Show child SA entries) only has the primary connection, not the second P2 at all.

From Site B to Site A (10.0.2.0/24 --> 10.0.1.0/24)

Show child SA entries:
Local: 10.0.2.0/24, SPI c95ed0dc
Remote: 10.0.1.0/24, SPI c244309d
Rekey: 228 seconds (00:03:48)
Life: 1181 seconds (00:19:41)
Install: 2419 seconds (00:40:19)
Algo: AES_CBC, HMAC_SHA1_96
IPComp: none
Bytes-In: 3,024 (3 KiB), Packets-In: 36
Bytes-Out: 10,944 (11 KiB), Packets-Out: 72

              Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24)

In the SPDs of Site A, 10.0.1.0/24 (Central Location):

Source       Destination  Direction   Protocol
10.0.2.0/24  10.0.1.0/24  ◄ Inbound   ESP
10.0.3.0/24  10.0.1.0/24  ◄ Inbound   ESP
10.0.1.0/24  10.0.2.0/24  ► Outbound  ESP
10.0.1.0/24  10.0.3.0/24  ► Outbound  ESP

In the SPDs of Site B, 10.0.2.0/24:

Source       Destination  Direction   Protocol
10.0.1.0/24  10.0.2.0/24  ◄ Inbound   ESP
10.0.3.0/24  10.0.2.0/24  ◄ Inbound   ESP
10.0.2.0/24  10.0.1.0/24  ► Outbound  ESP
10.0.2.0/24  10.0.3.0/24  ► Outbound  ESP

In the SPDs of Site C, 10.0.3.0/24:

Source       Destination  Direction   Protocol
10.0.1.0/24  10.0.3.0/24  ◄ Inbound   ESP
10.0.2.0/24  10.0.3.0/24  ◄ Inbound   ESP
10.0.3.0/24  10.0.1.0/24  ► Outbound  ESP
10.0.3.0/24  10.0.2.0/24  ► Outbound  ESP

              Not sure if that is helpful at all though!

Derelict (LAYER 8, Netgate)

Those look OK, but if the second P2 isn't coming up it's not going to work. Look for errors in Status > System Logs, IPsec.

                https://doc.pfsense.org/index.php/IPsec_Troubleshooting

tgreen

Ok, so I went through the troubleshooting guide and wasn't really finding much that coincided. One issue being that the IPsec log is limited to the 50 latest entries and there is a lot of 'fill' in the log. I did, however, locate a "No Match" in the set 2 log. Not sure what it's trying to match exactly here, but it looks like Site A is not passing back a properly. I put the whole log here in case there's something of importance (and replaced private info).

Time Process PID Message
Jan 10 10:24:44 charon 01[CFG] vici client 6 disconnected
Jan 10 10:24:44 charon 11[IKE] <con1|4> nothing to initiate
Jan 10 10:24:44 charon 11[IKE] <con1|4> activating new tasks
Jan 10 10:24:44 charon 11[IKE] <con1|4> received AUTH_LIFETIME of 27742s, scheduling reauthentication in 27202s
Jan 10 10:24:44 charon 11[CHD] <con1|4> CHILD_SA con1{5} state change: INSTALLING => INSTALLED
Jan 10 10:24:44 charon 11[IKE] <con1|4> CHILD_SA con1{5} established with SPIs c558505d_i cd7d0aa4_o and TS 10.0.2.0/24|/0 === 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CHD] <con1|4> SPI 0xcd7d0aa4, src 74.XX.XX.XX dst 75.XX.XX.XX
Jan 10 10:24:44 charon 11[CHD] <con1|4> adding outbound ESP SA
Jan 10 10:24:44 charon 11[CHD] <con1|4> SPI 0xc558505d, src 75.XX.XX.XX dst 74.XX.XX.XX
Jan 10 10:24:44 charon 11[CHD] <con1|4> adding inbound ESP SA
Jan 10 10:24:44 charon 11[CHD] <con1|4> using HMAC_SHA1_96 for integrity
Jan 10 10:24:44 charon 11[CHD] <con1|4> using AES_CBC for encryption
Jan 10 10:24:44 charon 11[CHD] <con1|4> CHILD_SA con1{5} state change: CREATED => INSTALLING
Here
Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.3.0/24|/0, received: 10.0.1.0/24|/0 => no match
Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.1.0/24|/0, received: 10.0.1.0/24|/0 => match: 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting traffic selectors for other:
Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.2.0/24|/0, received: 10.0.2.0/24|/0 => match: 10.0.2.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting traffic selectors for us:
Jan 10 10:24:44 charon 11[CFG] <con1|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4> proposal matches
Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting proposal:
Jan 10 10:24:44 charon 11[IKE] <con1|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 10 10:24:44 charon 11[IKE] <con1|4> maximum IKE_SA lifetime 28540s
Jan 10 10:24:44 charon 11[IKE] <con1|4> scheduling reauthentication in 28000s
Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_SA con1[4] state change: CONNECTING => ESTABLISHED
Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_SA con1[4] established between 74.XX.XX.XX[siteB.somename.net]...75.XX.XX.XX[siteA.somename.net]
Jan 10 10:24:44 charon 11[IKE] <con1|4> authentication of 'siteA.somename.net' with pre-shared key successful
Jan 10 10:24:44 charon 11[IKE] <con1|4> received ESP_TFC_PADDING_NOT_SUPPORTED notify
Jan 10 10:24:44 charon 11[ENC] <con1|4> parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
Jan 10 10:24:44 charon 16[CFG] vici client 6 requests: list-sas
Jan 10 10:24:44 charon 12[CFG] vici client 6 registered for: list-sa
Jan 10 10:24:44 charon 13[CFG] vici client 6 connected
Jan 10 10:24:44 charon 11[NET] <con1|4> received packet: from 75.XX.XX.XX[4500] to 74.XX.XX.XX[4500] (236 bytes)
Jan 10 10:24:44 charon 11[NET] <con1|4> sending packet: from 74.XX.XX.XX[4500] to 75.XX.XX.XX[4500] (380 bytes)
Jan 10 10:24:44 charon 11[ENC] <con1|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 10 10:24:44 charon 11[IKE] <con1|4> establishing CHILD_SA con1{5}
Jan 10 10:24:44 charon 11[CFG] <con1|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.3.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> proposing traffic selectors for other:
Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.2.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> proposing traffic selectors for us:
Jan 10 10:24:44 charon 11[IKE] <con1|4> successfully created shared key MAC
Jan 10 10:24:44 charon 11[IKE] <con1|4> authentication of 'siteB.somename.net' (myself) with pre-shared key
Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_AUTH task
Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_CERT_PRE task
Jan 10 10:24:44 charon 11[IKE] <con1|4> reinitiating already active tasks
Jan 10 10:24:44 charon 11[IKE] <con1|4> remote host is behind NAT

Derelict (LAYER 8, Netgate)

                    Looks like your local and remote selectors are not right on the other side of that connection.

> Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24)

                    Yeah, you're right. Sorry I missed it.

                    It looks like Site A is missing these:

                    SITE A - SITE B     
                    P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                    SITE A - SITE C
                    P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                    There should be two phase 2 entries on site A for each site.

tgreen

There we go, now it's rocking. For anyone that stumbles here looking for the same needs, here's all the P2 Mappings:

                      Site A (main centerpoint) 10.0.1.0/24
                      Site B (Remote locale 1) 10.0.2.0/24
                      Site C (Remote locale 2) 10.0.3.0/24

IPsec VPN Site A <--> Site B
IPsec VPN Site A <--> Site C
Goal is for Site C to access an IP at Site B without making a VPN from B --> C

                      SITE A - SITE B     
                      P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.2.0/24
                      P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
                      P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                      SITE B - SITE A     
                      P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.1.0/24
                      P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                      SITE A - SITE C     
                      P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.3.0/24
                      P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
                      P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                      SITE C - SITE A     
                      P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.1.0/24
                      P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                      Firewall IPsec rules on all 3 have
                      Protocol      Any
                      Source      Any
                      Destination  Any

                      Firewall LAN rules on all 3 have
                      Protocol      Any
                      Source      Any
                      Destination  Any

Derelict (LAYER 8, Netgate)

                        That doesn't look right either.

                        SITE A - SITE B   
                        P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                        SITE A - SITE C   
                        P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                        Don't want the same traffic selector on SITE A to two different sites.

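A consistency check for the phase 2 tables traded in this thread, added here as an example; it is not pfSense or Netgate code. It models each P2 as a (local, remote) pair under two assumed rules: every P2 on one side must appear mirrored (remote, local) on the peer, and one site must not use the same selector pair toward two different peers, which is Derelict's last point. Run against tgreen's final table it flags the reused 10.0.2.0/24 -> 10.0.3.0/24 selector on Site A and the entries that no spoke mirrors; a layout with two P2s per spoke on the hub and no reused selector passes.

```python
# Added example: hub-and-spoke phase 2 consistency check (constructed, not pfSense code).
# Each tunnel direction (site, peer) maps to a list of (local_net, remote_net) P2 pairs
# exactly as the "P2 Tunnel LN ... RN ..." lines in the thread are written.
from collections import defaultdict

A, B, C = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"  # site A (hub), site B, site C


def mirror_errors(tunnels):
    """Rule 1: (local, remote) on site->peer must exist as (remote, local) on peer->site."""
    errors = []
    for (site, peer), entries in tunnels.items():
        peer_entries = set(tunnels.get((peer, site), []))
        for local, remote in entries:
            if (remote, local) not in peer_entries:
                errors.append(f"{peer}-{site} lacks LN {remote} RN {local}")
    return errors


def duplicate_selector_errors(tunnels):
    """Rule 2: one site must not use the same (local, remote) pair toward two peers."""
    peers_by_pair = defaultdict(set)
    for (site, peer), entries in tunnels.items():
        for pair in entries:
            peers_by_pair[(site, pair)].add(peer)
    return [f"{site} uses LN {pair[0]} RN {pair[1]} toward {sorted(peers)}"
            for (site, pair), peers in peers_by_pair.items() if len(peers) > 1]


def check(tunnels):
    return mirror_errors(tunnels) + duplicate_selector_errors(tunnels)


# tgreen's final table as posted above (constructed from the thread).
POSTED = {
    ("A", "B"): [(A, B), (B, C), (C, B)],
    ("B", "A"): [(B, A), (B, C)],
    ("A", "C"): [(A, C), (B, C), (C, B)],
    ("C", "A"): [(C, A), (C, B)],
}

# Two P2s per spoke on the hub, each selector pair pointing at exactly one peer.
FIXED = {
    ("A", "B"): [(A, B), (C, B)],
    ("B", "A"): [(B, A), (B, C)],
    ("A", "C"): [(A, C), (B, C)],
    ("C", "A"): [(C, A), (C, B)],
}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check(cfg) or "OK")
```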